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Abstract. Coin flipping is a cryptographic primitive for which strictly 
better protocols exist if the players are not only allowed to exchange 
classical, but also quantum messages. During the past few years, several 
results have appeared which give a tight bound on the range of imple- 
mentable unconditionally secure coin flips, both in the classical as well as 
in the quantum setting and for both weak as well as strong coin flipping. 
But the picture is still incomplete: in the quantum setting, all results 
consider only protocols with perfect correctness, and in the classical set- 
ting tight bounds for strong coin flipping are still missing. 
We give a general definition of coin flipping which unifies the notion of 
strong and weak coin flipping (it contains both of them as special cases) 
and allows the honest players to abort with a certain probability. We give 
tight bounds on the achievable range of parameters both in the classical 
and in the quantum setting. 

1 Introduction 

Coin flipping (or coin tossing) as a cryptographic primitive has been introduced 
by Blum [5] and is one of the basic building blocks of secure two-party compu- 
tation [21 j - 

Coin flipping can be defined in several ways. The most common definition, 
sometimes called strong coin flipping, allows two honest players to receive a 
uniform random bit c G {0, 1}, such that a dishonest player cannot increase the 
probability of any output. A dishonest player may, however, abort the protocol, 
in which case the honest player gets the erasure symbol A as output A weaker 
definition, called weak coin flipping, only requires that each party cannot increase 
the probability of their preferred value. 

Without any additional assumptions, unconditionally secure weak coin flip- 
ping (and therefore also strong coin flipping) cannot be implemented by a classi- 
cal protocol. This follows from a result by Hofhcinz, Mullcr-Quade and Unruh [9], 

3 The dishonest player may abort after receiving the output bit, but before the 
honest player gets the output bit. This allows cases where the honest player gets, for 
example, with probability 1/2 and A otherwise. There exists also a definition of coin 
flipping where a dishonest player does not have this unfair advantage, and the honest 
player must always get a uniformly random bit, no matter what the other player does. 
See [7112116] , 



which implies that if two honest players always receive the same uniform bit, 
then there always exists one player that can force the bit to be his preferred 
value with certainty. 

If the players can communicate using a quantum channel, unconditionally 
secure coin flipping is possible to some extent. The bounds of the possibilities 
have been investigated by a long line of research. Aharanov et al. |T] presented 
a strong coin flipping protocol where no quantum adversary can force the out- 
come to a certain value with probability larger than 0.914. This bound has been 
improved by Ambainis [2] and independently by Spekkens and Rudolph |18j to 
0.75 (see also [5] for a different protocol). For weak coin flipping, Spekkens and 
Rudolph pjj] presented a protocol where the dishonest player cannot force the 
outcome to its preferred value with probability larger than l/y/2 ss 0.707. (Inde- 
pendently, Kerenidis and Nayak [10] showed a slightly weaker bound of 0.739.) 
This bound has further been improved by Mochon, first to 0.692 [13] and finally 
to 1/2 + e for any constant e > [TS], therefore getting arbitrarily close to the 
theoretical optimum. For strong coin nipping, on the other hand, this is not 
possible, since it has been shown by Kitaev QT| (see [3] for a proof) that for 
any quantum protocol there is always a player able to force an outcome with 
probability at least l/y/2. Chailloux and Kerenidis [5] showed that a bound of 
l/y/2 + e for any constant e > can be achieved, by combining two classical 
protocols with Mochon's result: They first showed that an unbalanced weak coin 
flip can be implemented using many instances of weak coin flips, and then that 
one instance of an unbalanced weak coin flip suffices to implement a strong coin 
flip with optimal achievable bias. 

1.1 Limits of previous Results 

In all previous work on quantum coin flipping, honest players are required to 
output a perfect coin flip, i.e., the probability of both values has to be exactly 1/2, 
and the players must never disagree on the output or abort. However, in practice 
the players may very well be willing to allow a small probability of error even if 
both of them are honest. Furthermore, a (quantum) physical implementation of 
any protocol will always contain some noise and, therefore, also some probability 
to disagree or abort. This requirement is, therefore, overly strict and raises the 
question how much the cheating probability can be reduced when allowing an 
error of the honest players. 

It is well-known that there exist numerous cryptographic tasks where allowing 
an (arbitrarily small) error can greatly improve the performance of the protocol. 
For example, as shown in [4], the amount of secure AND gates (or, alternatively, 
oblivious transfers) needed between two parties to test equality of two strings is 
only 0(logl/e) for any small error e > 0, while it is exponential in the length 
of the inputs in the perfect case. Considering reductions from oblivious transfer 
to different variants of oblivious transfer where the players can use quantum 
communication, it has recently been shown that introducing a small error can 
reduce the amount of oblivious transfer needed by an arbitrarily large factor [20] . 



It can easily be seen that some improvement on the achievable parameters 
must be possible also in the case of coin flipping: In any protocol, the honest 
players can simply flip the output bit with some probability. This increases the 
error, but decreases the bias. In the extreme case, the two players simply flip 
two independent coins and output this value. This prohibits any bias from the 
adversary, at the cost of making the players disagree with probability 1/2. 

The only bounds on coin flipping we are aware of allowing for an error of the 
honest players have been given in the classical setting. An impossibility result for 
weak coin flipping has been given in [3] . Nguyen, Frison, Phan Huy and Massar 
presented in [17] a slightly more general bound and a protocol that achieves the 
bound in some cases. 

1.2 Contribution 

We introduce a general definition of coin flipping, characterized by 6 parameters, 
which we denote by 

CF(poo,pii,po*,Pi*ij»*o,P*i) ■ 

The value pu (where i G {0, 1}) is the probability that two honest players output 
i and the value p« (pi* ) is the maximal probability that the first (second) player 
can force the honest player to output i. With probability 1 — poo — pu, two 
honest players will abort the protocol and output a dummy symbolQ This new 
definition has two main advantages: 

— It generalizes both weak and strong coin flipping, but also allows for addi- 
tional types of coin flips which are unbalanced or lay somewhere between 
weak and strong. 

— It allows two honest players to abort with some probability. 

We will first consider classical protocols (Section[3]), and give tight bounds for 
all parameters. The impossibility result (Lemma|5) uses a similar proof technique 
as Theorem 7 in [9] . In combination with two protocols showing that this bound 
can be reached (Lemma [4]) , we obtain the following theorem. 

Theorem 1. Let PooiPiiiPo*tPi*iP*OiP*i € [0,1]. There exists a classical pro- 
tocol that implements an unconditionally secure CF(p 0:Pii>Po*?Pi* 5 P*o?P*i) if 
and only if 

Poo < Po*P*o , 
Pu < Pi*P*i , and 
Poo +Pu < Pa*P*o +Pi*P*i - max(0,p * +Pi* - 1) max(0, p* + P*i - 1) • 

4 Similar to [5], we can require that two honest players always output the same 
values, since the players can always add a final round to check if they have the same 
value and output the dummy symbol if the values differ. 



For weak coin nipping, i.e., p*i = 1 and po* = 1, the bound of Theorem [T] 
simplifies to the condition that poo < P*o, Pn < Pi*, and 

1 - Poo - Pn > (1 - P*o)(l - Pi*) ; 

which is the bound that is also implied by Theorem 7 in [3]. 

In Section 01 we consider the quantum case, and give tight bounds for all 
parameters. The quantum protocol (Lemma HOj) bases on one of the protocols 
presented in [5J, and is a classical protocol that uses an unbalanced quantum 
weak coin flip as a resource. The impossibility result follows from the proof of 
Kitacv's bound on quantum strong coin flipping fLcmma lll[) . 

Theorem 2. Let Poo>Pii,Po*,Pi*,P*o,P*i 6 [0,1]- For any e > 0, there exists a 
quantum protocol that implements an unconditionally secure CF(poo,PiijPo* + 
s,Pu + £,p* + e,P*i + e) if 

Poo < Po*P*o , 
Pn < Pi*P*i j and 
Poo +Pu < 1 • 

If these bounds are not satisfied then there does not exist a quantum protocol for 
e = 0. 
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Fig. 1. For values po* = P*o = Pi* = P*i = 3/4, this figure shows the achievable 
values of poo an d Pn in the classical and the quantum setting. The light grey 
area is the set of all coin flips that can be defined. (See Definition [T]) 

Our results, therefore, give the exact trade-off between weak vs. strong coin 
flipping, between bias vs. abort-probability, and between classical vs. quantum 



coin nipping. (Some of these trade-offs arc shown in Figures [T] and O) They 
imply, in particular, that quantum protocols can achieve strictly better bounds 
if po* + Pi* > 1 and p*o + P*i > 1- Outside this range classical protocols attain 
the same bounds as quantum protocols. 

Since the optimal quantum protocol is a classical protocol using quantum 
weak coin flips as a resource, the possibility to do weak coin flipping, as shown 
by Mochon [15], can be seen as the crucial difference between the classical and 
the quantum case. 




Fig. 2. This graph shows the optimal bounds for symmetric coin flipping of 
the form CF((1 — a)/2, (1 — a)/2,p»,p*,p»,p»). The value p* is the maximal 
probability that any player can force the coin to be a certain value, and a is the 
abort probability. Therefore, the smaller p* for a fixed value of a, the better is the 
protocol. The definition of coin flipping (Definition [T]) implies that p* > (1 — a)/2. 
Hence, the theoretically optimal bound is p* = (1 — a)/2. In the quantum case, 
the optimal achievable bound is p* = — a)/2. In the classical case the 
optimal achievable bound is = 1 — yj a/2 for a < 1/2 and the same as the 
quantum bound for a > 1/2. The best previously known classical lower bounds 
from |9I17| was p* > 1 — y/a. 



2 Preliminaries 

In a classical protocol, the two players (Alice and Bob) are restricted to classical 
communication. Both players are given unlimited computing power and memory, 
and are able to locally sample random variables from any distribution. In a 



quantum protocol, the two players may exchange quantum messages. They have 
unlimited quantum memory and can perform any quantum computation on it. 
All operations are noiseless. At the beginning of the protocol, the players do not 
share any randomness or entanglement. While honest players have to follow the 
protocol, we do not make any assumption about the behaviour of the malicious 
players. We assume that the adversary is static, i.e., any malicious player is 
malicious from the beginning. Furthermore, we require that the protocol has a 
finite number of rounds. 

Definition 1. Let Poo,Pn,Po*,Pi*,P*o,P*i € [0,1], such that p 00 + p n < 1, 
Poo < nrin{po*,P*o} and pn < min{pi*,p*i} /ioMs]£] A protocol implements a 
CF(poo,Pii 1 Po*tPi*iP*OiP*i), if the following conditions are satisfied: 

— If both players are honest, then they output the same value i € {0, 1} with 
probability pa and A with probability 1 — poo — Pn- 

— For any dishonest Alice, the probability that Bob outputs is at most p*o, 
and the probability that he outputs 1 is at most p*\. 

— For any dishonest Bob, the probability that Alice outputs is at most po*, 
and the probability that she outputs 1 is at mostpi*. 

Definition [TJ generalizes the notion of both weak and strong coin flips and 
encompasses, in fact, the different definitions given in the literature. 



— A perfect weak coin flip is a 
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— A perfect strong coin flip is a 
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— The weak coin flip with error e > of [T5] is a 

CF | -, -.1, - +e,- +£. 
V.2' 2' '2 '2 

— The unbalanced weak coin flip WCF(z,e) of [6] is a 

CF (z, 1 - z, 1, 1 - z + e, z + e, 1) . 

— The strong coin flip of JB] is a 

/111 1 1 1 

CF U'2'71 + £ '71 + £ 'vf + £ 'vf 4 



The last two conditions are implied by the fact that a dishonest player can always 
behave honestly. Hence, he can always bias the coin to i G {0, 1} with probability pa. 



Note that CF(poo,Pii,Po*>Pi*)P*0)P*i) can also be defined as an ideal func- 
tionality that is equivalent to the above definition. Such a functionality would 
look like this: If there is any corrupted player, then the functionality first asks 
him to send a bit b £ {0, 1} that indicates which value he prefers. The func- 
tionality then flips a coin c <E {0, 1, A}, where the probabilities depend on b and 
on which player is corrupted. For example, if the first player is corrupted and 
6 = 0, then c = will be chosen with probability p* , c — 1 with probability 
minfj}*!, 1 — p* ) an d A otherwise. The functionality then sends c to the adver- 
sary, and the adversary chooses whether he wants to abort the protocol or not. 
If he does not abort, the honest player receives c (which might already be A), 
and A otherwise. If none of the players are corrupted, the functionality chooses 
a value c £ {0, 1, A} which takes on j € {0, 1} with probability pa and sends c 
to the two players. 

3 Classical Coin Flipping 
3.1 Protocols 



Protocol CoinFlipl: 

Parameters: po*,Pi*,P*o,P*i £ [0, 1], Po* + Pi* < 1. 

1. Alice flips a three- valued coin a such that the probability that a = i is 
Pi* for i = {0, 1}, and a = A otherwise. She sends a to Bob. 

2. If a = A, Bob outputs b = A. If a ^ A, Bob flips a coin b such that 
b = a with probability p* a and b = A otherwise. Bob sends b to Alice 
and outputs b. 

3. If b = a Alice outputs b, otherwise A. 



Lemma 1. If either po* +pi* < 1 orp*o +p*i < 1, then there exists a classical 
coin-flipping protocol with poo = Po*P*o o,nd p\\ = pi*p*i . 

Proof. If po* +pi* < 1, they use Protocol CoinFlipl. (If p*o +P*i < 1, they 
exchange the role of Alice and Bob.) By construction, a malicious Bob cannot 
bias Alice's output by more than p,*, and a malicious Alice cannot bias Bob's 
output by more than p»j. Honest players output the value with probability 
Po*P*o and 1 with probability pi*p*i. □ 



Protocol CoinFlip2: 

Parameters: p, xq, x\, tjq, y\ £ [0,1]. 

1. Alice flips a coin a £ {0, 1} such that a = with probability p and sends 
it to Bob. 



2. Bob receives the coin a and flips a coin b 6 {0, 1} such that the proba- 
bility that b = a is x a - He sends b to Alice. If b = a he outputs b. 

3. If 6 = a, then Alice outputs b. If a 7^ 6, then Alice flips a coin c, such 
that with probability c = b and else c = A. She sends c to Bob and 
outputs it. 

4. If c = 6 Bob outputs c, else A. 



Lemma 2. //po* + Pi* > 1, P*o + P*i > 1, Poo < Po*P*o, Pn <Pi*P*i, and 

Poo +P11 = Po*P*o + pi*p*i - (po* +Pi* - l)(p*o + P*i - 1) (1) 

then there exists a classical protocol implementing CF(poo,Pii7Po*,Pi*,P*o,P*i)- 

Proof. We use Protocol CoinFlip2 and choose the parameters 

Po* -p Pi* +P - 1 Poo - Po* + Po*P*i 

X% ■= P*i , yo ■= — , yi ■= , p := ■ : — ■ 

l—p p p*o+P*i-l 

Note that if p = 1 then yo is undefined (and the same holds for yi if p = 0), 
but this does not cause any problem since in this case the parameter yo is never 
used in the protocol. 

We now verify that these parameters are between and 1. We have yo,yi € 
[0, 1], if p G [1 — Pu,Po*]- To see that p lies indeed in this interval, note that the 
upper bound follows from 

Poo - Po* + Po*P*i . Po*P*o - Po* + Po*P*i Po* (p*o + P*i - 1) 

P = S = = Po* ■ 

p*o + p*i - 1 p*o +P*i — 1 p*o + p*i - 1 

For the lower bound, note that 

P*o + p*i - 1 poo - Po* + Po*P*i 



1-P 



p*o + p*i - 1 p*o + p*i - 1 
P*o + p*i - 1 - Poo + Po* - p *p*l 

P*o +p*i - 1 
Pi*p*o - Pi* +P11 



(2) 



p*o +p*i - 1 
where we have used that 

P*o + P*i - 1 - Poo + Po* - Po*P*i 

= P,o +p*i - 1 - (po*P*o +Pi*p*i - (po* +Pi* - l)(p*o +P*i - 1) -P11) 
+ Po* - Po*P*i 

= P*o +P*i — 1 — Po*P*o - Pi*P*i + Po*P*o + Po*P*i - Po* + Pi*P*o + Pl*P*l 

- pi* - p* - p*i + 1 + P11 + Po* - Po*P*i 
= pi*p*o - pi* +pn • 



Therefore 

Pn -Pi* +Pi*P*o . , P*\P\* -Pi* +Pi*P*o i 

P = 1 : : > 1 : : = 1 - p U . 

P*0+P*l-1 P*o+p*i-l 

It follows that p, xo, xi, yo, y\ € [0, 1]. 

If both players are honest, then the probability that they both output is 

px + (1 - p)(l - xi)y = P^o + (1 - p)(l - — - 

1 -p 

= PP*o + (1 - P*i)(po* - p) 

= PP*o -p(l -P*i) +Po*(! -P*i) 

Poo -Po* + Po*P*i , . i\ , n \ 

= ; : (p*o +P*1 — 1J +Po*(l -P*l) 

P*0 +P*1 — 1 

= Poo • 

The probability that they both output 1 is 

P(l - xo)y 1 + (1 - p)x 1 = p(l - p tQ ) Pl * +P — - + (1 - p)p*i 

P 

= (1 - P*o)(pi* + P - 1) + (1 ^ p)p*i 

= pi*(l - p* ) - (1 - p)(l - P*o) + (1 - p)p*i 

= Pi*(l -p*o) + (1 -p)(p*i +P*o - 1) 

d , . Pi*P*o - Pi* +Pn, . u 

= Pi*(l -p*o) H ; 1 — (P*i +P*o - 1) 

P*o +P*i — 1 

= Pn ■ 

If Alice is malicious, she can bias Bob to output value i either by sending i as 
first message hoping that Bob does not change the value, which has probability 
Xi = p«; or by sending the value 1 — i hoping that Bob changes the value, which 
occurs with probability 1 — Xi_, = 1 — p*i— % < p«- Hence, she succeeds with 
probability p*j. 

Bob can bias Alice to output value i by sending b — i independently of what 
Alice had sent as first message. For i = 0, Alice will accept this value with 
probability 

p + (1 - p)y = P + (1 - p)-^ — - = Po* 

1 -p 

and for i = 1 with probability 

1 - p + pyi = 1 - p + p =Pi* ■ (3) 

P 

□ 

In order to show that all values with poo +Pn below the bound given in ([l} 
can be reached, we will need additionally the following lemma. 



Lemma 3. If there exists a protocol P that implements a coin flip 
CF(poo,Pn,Po*,Pi*,P*o,P*i), then, for any p' 0Q < p ao and p' n < p lb there exists 
a protocol P' that implements a coin flip CF(j5q ,p' 11 ,Po*jPi*jP*O j P*i)- 

Proof. P' is defined as follows: The players execute protocol P. If the output is 
i 6 {0, 1}, then Alice changes to A with probability 1 —p'^/pu- If Alice changes 
to A, Bob also changes to A. Obviously, the cheating probabilities are still 
bounded by Po*tPi*iP*o,P*i, which implies that that protocol P' implements a 
CF (Poo>Ki;-Po*,Pi*,P*o,P*i)- □ 

Combining Lemmas [TJ [2] and we obtain Lemma 01 

Lemma 4. Let Poo,PUiPo*tPi*tP*OtP*i € [0, 1]. There exists a classical protocol 
that implements CF(poo;Pii>Po*)Pi*;f>*0;P*i) if 

Poo < Po*P*o , 
Pil < Pi*P*i , and 
Poo +Pu < Po*P*o +Pi*P*i - max(0,p o * + Pi* - 1) max(0,p* +P*i - 1) • 

Proof. If po*+pi* > 1 andp^o+p^i > 1, then Lemmas [5] and [3] imply the bound. 
Otherwise, i.e., if either p * + Pi* < 1 or p*o + P*i < L then max(0,po* + Pi* — 
l)max(0,p*o + P*\ — 1) = and the bound is implied by Lemmas [T] and [3J □ 

3.2 Impossibilities 

The following lemma shows that the bounds obtained in Lemma HI are optimal. 
The proof uses the same idea as the proof of Theorem 7 in [S] . 

Lemma 5. Let the parameters Poo,Pii,Po*tPi*,P*OiP*i oe G [0, 1]. A coin flip 
CF(pooiPn 5 Po*7Pi*,P*o,P*i) can only be implemented by a classical protocol if 

Poo < Po*P*o , 
Pn < Pi*P*i , and 
Poo +Pn < Po*P*o +Pi*P*i - max(0,p o * + Pi* - 1) max(0,p* +P*i - 1) • 

Proof. We can assume that the output is a deterministic function of the tran- 
script of the protocol. This can be enforced by adding an additional round at 
the end of the protocol where the two players tell each other what they are going 
to output. Since we do not require the protocol to be efficient, Lemma 7 in [5] 
implies that we can also assume that the honest parties maintain no internal 
state except for the list of previous messages. 

For any partial transcript t of a protocol, we define as the maximum over 
all transcripts starting with t, i.e., the maximum probability with which Bob can 
force Alice to output 0, given the previous interaction has given t. In the same 
way, we define p**, p* , p\ x . We define p 0Q and p\ x as the probabilities that the 
output of the honest players will be 00 and 11, respectively, given the previous 



interaction has given t. We will now do an induction over all transcripts, showing 
that for all t, we have 

Poo — Po*P*o > 
Pu < PuPli , and 
Poo + Pu < Po*pIo + Pi*pIi - max(0,po* + Pi* - 1) max(0,pto + pti - l ) ■ 

For complete transcripts t, each honest player will output either 0, 1 or A 
with probability 1 and we always have p ^, + p\^ — 1 < and p' + p*x — 1 < 0. 
Therefore, we only need to check that p 00 < Po*Pto and p\ x < p\^p\i- For 
j G {0, 1}, if = 1, then p*„ = p£ ■ = 1, so the condition is satisfied. In all the 
other cases we have pjj = 0, in which case the condition is satisfied as well. 

Let t now be a partial transcript, and let Alice be the next to send a message. 
Let M be the set of all possible transcripts after Alice has sent her message. For 
the induction step, we now assume that the statement holds for all transcript in 
M, and show that then it must also hold for t. Let be the probability that an 
honest Alice will choose message i G M. By definition, we have 

Poo = Y np oo> Pu = Y r ^u> Po* = Y r iP *i Pi* = Y np ^* ' 

ieM ieM ieM ieM 

Plo = maxp*, , p* x = max pi x . 

zeM ieM 

For j G {0, 1} it holds that 

i'jj Y r iPij - Y r ipUp l *o ' Y r *p)*p% = pW* 3 > 

ieM ieM ieM 

which shows the induction step for the first two inequalities. To show the last 
inequality, let 

f(a, b, c, d) := ac+bd — max(0, a + b — 1) max(0, c + d — 1) , 

where a, b, c, d G [0, 1]. If we fix the values c and d, we get the function f c ,d(a, b) := 
/(a, &, c, d). It consists of two linear functions: If a + b < 1, we have 

fc,d( a > b ) = ac + bd , 

and if a + > 1 we have 

fc,d( a , b) = ac+ bd — (a + b — 1) max(0, c + d — 1) . 

Note that these two linear functions are equal if a + b = 1, and we have {a + b — 
1) max(0, c+ d— 1) > ifa + 6 > 1. It follows that f c .d(a, b) is concave, meaning 
that for all 7, a, b, a', b' G [0, 1], we have 



7/c 1 d(o, 6) + (1 - 7)/c,d(a / > < /cdfa + i 1 ~ 7)"', 7& + (1 - iW) ■ (4) 



Since for any a + b ^ 1 and c + d ^ 1 

— f(a,b,c,d)>0 and —f(a,b,c,d)>0, (5) 

we have f(a,b,c',d) > f(a,b,c,d) for c' > c and f(a,b,c,d') > f(a,b,c,d) for 
d' > d. Hence, 

Poo + Pii 

= ^n(p o+fii) 

^ ri (Po*p1o + Pi*Pti - max(0>Po* +j?* u - 1) max(0,pto + Pti - !)) 
<^2 r i (Po*P*o + Pi*P*i - max(0,p Ost - 1) max(0,pto + P*i - !)) 

is A/ 

gj 

< Po*P*o +Pi*P*i - max(0,Po* + Pi* - l)max(0,pto + P*i - 1) - 
and the inequalities also hold for t. The statement follows by induction. □ 
From Lemmas [4] and \E\ we obtain Theorem [T] 

4 Quantum Coin Flipping 
4.1 Protocols 

An unbalanced weak coin flip with error e WCF(z,e) is a CF(z, 1 — z, 1, 1 — 
z + e, z + e, 1), i.e., a coin flip where Alice wins with probability z, Bob with 
probability 1 — z and both cannot increase their probability to win by more 
than e. (They may, however, decrease the probability to 0.) Let WCF(z) := 
WCF(z,0). 

It has been shown by Mochon |15| that weak coin flipping can be implemented 
with an arbitrarily small error. 

Theorem 3 (Mochon [15]). For any constant e > 0, there exists a quantum 
protocol that implements WCF(l/2,£). 

In [14] . Mochon showed that quantum coin- flipping protocols compose se- 
quentially. Implicitly using this result, Chailloux and Kercnidis showed that an 
unbalanced weak coin flip can be implemented from many instances of (balanced) 
weak coin flips. 

Proposition 1 (Chailloux, Kerenidis [6]). For all z G [0,1], there exists a 
classical protocol that uses k instances o/WCF(l/2, e) and implements WCF(x, 2e), 
for a value x £ [0, 1] with \x — z\ < 2~ k . 

The following lemma shows that the parameter z can be slightly changed 
without increasing the error much. 



Lemma 6. For any 1 > z' > z > 0, there exists a classical protocol that uses 1 
instance of WCF(z',e) and implements WCF(z,e + z' — z). 

Proof. The protocol first calls WCF(z',e). If Alice wins, i.e., if the output is 0, 
then she changes the output bit to 1 with probability 1 — z/z', and sends the 
bit to Bob. Bob only accepts changes from to 1, but not from 1 to 0. Alice 
can force the coin to be with probability at most z 1 + e = z + (e + z' — z). 
Let x £ [0, 1 — z 1 + e] be the probability with which a cheating Bob forces the 
protocol WCF(z',e) to output 1. Alice will output 1 with probability 

x / z \ z z z / . z 

x + (I - x) [l - — ) = I - — + x ■ — <l - — + {I - z' + e) ■ — 

V z J z' z z' z 

z 

= 1 — z + e ■ — < 1 — z + e . 
z' 

□ 

Note that for z E {0, 1}, the implementation of WCF(z, 0) is trivial. Hence, 
Theorem [31 Proposition [T] and Lemma [5] imply together that WCF(z,e) can be 
implemented for any z € [0,1] with an arbitrarily small error e. To simplify the 
analysis of our protocols, we will assume that we have access to WCF(z) for 
any z £ [0,1]. The following lemma shows that when WCF(z) is replaced by 
WCF(z,e), the bias of the output is increased by at most 2e. 

Lemma 7. Let P be a protocol that implements CF(poo,Pii,Po*jPi*jP*o>P*i) 
using one instance of WCF(z). // WCF(z) is replaced by WCF(z,e), then P 
implements CF(p cbPiiiPo* + 2e,pi* + 2£,p* + 2e,p +1 + 2e). 

Proof. Let us compare two settings: one where the players execute P using one 
instance of WCF(z,e), and the other where they use one instance of WCF(z). 
When both players are honest, the two settings are obviously identical. Let Alice 
be honest and Bob malicious. For each setting, we can define an event that occurs 
with probability at most e, such that under the condition that the two events do 
not occur, WCF(z) and WCF(z, e) and hence the whole protocol are identical. 
The probability that the two events do not occur is at least 1 — 2e by the union 
bound. Therefore, the probabilities that the honest player outputs (or 1) differ 
by at most 2e. The statement follows. □ 

The following protocol is a generalization of the strong coin-flipping protocol 
S from [6] . It gives optimal bounds for the case where the honest players never 
abort, i.e., p 00 + pu = 1- 



Protocol QCoinFlipl: 

Parameters: x, zq, z\,po,pi € [0,1]. 

— Alice flips a coin a G {0, 1} such that the probability that a = is x 
and sends a to Bob. 



Alice and Bob execute WCF(z Q ). 

If Alice wins, i.e., the outcome is 0, then both output a. 

If Bob wins, then he flips a coin b such that b = a with probability p a - 

Both output b. 



Lemma 8. Let po*,Pi*,P*o,P*i G [0,1] where p*o + p*\ > 1, pa* + Pi* > 1 and 
P*oPo* +P*iPi* = 1- Given access to one instance o/WCF(z), we can implement 
a CF(p 00 ,Pn,Po*,Pi*,P*o,P*i) where p Q0 = p *P*a and pu =p u p*i- 

Proof. We execute Protocol QCoinFlipl, choosing the parameters 

, p*o+P*i-l p*o+p*i-l 
Pi := 1 - , z := , zi := 



and 



x 



P*l P*o 
Po*P*o +p»i — l 



P*Q +P*1 — 1 

Note that 

* l-p*o , - l-p*i 
I — zo = and 1 — zi = . 

P*i P*o 

Since 1 — p*o < p*i and 1 — p*i < p*0j these values are between and 1, and 
hence also zq and z% are between and 1. Frompo* < 1 follows that x < 1, and 
fromp*oPo* > P*oPq* + P*iPi* = 1 that x > 0. Furthermore, we have 

n x P*a+P*i - 1 . (1 -P*i)(l ~P*o) 

Z + (1 - 2: )po = 1 = P*0 (6) 

P*\ P*l 

and 

. /, \ p* +p*i-l . (l-p*x)(l-p*o) 
Zl + (1- Zxjpi = 1 = p*i . 

P*o P*o 
Alice can bias Bob's coin to with probability 

max{z + (1 - z )p ; (1 - Pi)} = P*a 
and to 1 with probability 

max{zi + (1 - (1 - p )} = p*i • 

The probability that Bob can bias Alice's coin to is 

x + (1 — x)(l — Z\) = (1 - Zx) + XZ\ 

_ 1 - p*i Po*P*o +P*i - 1 +P*i - 1 
P*o P*o — 1 P*o 



and the probability that he can bias it to 1 is 
(1 — x) + x{l — zq) = 1 — xzo 



§ Po*P*o+P*i-l P*o+P*i-l 



1 



P*o + P*i — 1 P*l 
Po*P*o +P*i - 1 



p*l 

1 - Po*P*o 

p*l 

Pl*p*l 

= = Pi* • 

p*l 

Furthermore, two honest players output with probability 
xz + x(l - z Q )po + (1 - x)(l - zi)(l -pi) 

= x(z + (1 - z )p a ) + (1 - a;)- — — p*o 

P*o 

= xp*o + (1 - x)(l - p*i) 
= 1 - p*i + 2:(p*o + P*i - 1) 
= Po*P*o 
= Poo 

and 1 with probability 1 — p 00 = 1 — po*p*o = Pi*P*i = Pn- □ 

The following protocol gives optimal bounds for the general case. It uses one 
instance of the above protocol, and lets Alice and Bob abort in some situations. 



Protocol QCoinFlip2: 

Parameters: Protocol P, eo,Si € [0, |]. 

— Alice and Bob execute the coin-flipping protocol P. 

— If Alice obtains 0, she changes to A with probability £q- If Bob obtains 1, 
he changes to A with probability e\. If cither Alice or Bob has changed 
to A, they both output A, otherwise they output the value obtained 
from P. 



Lemma 9. Let p *,Pi*,P*o,P*i & [0,1] where p» + P*i > 1, Po* + Pi* > 1 
and po*p*o + p*ip*i < 1. Given access to WCF(z) for any z € [0,1], we can 
implement a CF(poo,Pii,Po*,Pi*,P*o,P*i) where p 00 — po*p*o and pu =pi*p*i. 

Proof. From p*o +P*i > 1 and po* +Pi* > 1 follows that either p*o + Pi* > 1 or 
Po* +p*i > 1. Without loss of generality, let us assume that p*Q + pi* > 1. 
Let 

/ . (. l-Pi*P*i\ , / l-p *P*o 

Po* : = mm 1, and p mX := . 

V P*o / Pi* 



First, note that since po* < 1 p 1 *^ 1 we have p * > po*. Obviously, we also have 



P&* < 1- Since p'^ < ^ , we have 



/ 1 - Po*P*0 . 1 p.o P *° Pl*P*l 

p*l = > = = p*l ■ 

Pi* Pi* Pi* 

In order to see that p'^ < 1, we need to distinguish two cases. Since p' ^ 



mm 

case 



1, 1 ~ p ^* 1 ), it holds that either p' , = 1 or p „ = 1 ~ p ^* 1 ■ In the first 



, 1 ~P*o „ Pi* 

P*l = < = 1 , 

Pi* Pi* 

and the claim holds. In the second case, 

, l-p'*oP*o l-(l-pi*p*i) ^, 

P*i = = = P*i < 1 i 

Pi* Pi* 

and the claim also holds. Therefore, p'^ < 1. 

Since p »p*o + Pi*P*i = 1 ; according to Lemma [5J we can use protocol 
QCoinFlipl to implement a CF(p 00 ,p' u ,p 0j)0 pi*,p*o,P*i), where p' 00 = p »p*o 
and p' n = pi*p' fl - Using that protocol as protocol P, let Alice and Bob execute 
protocol QCoinFlip2 with Eq : = 1 — Po*/Po*j an d E\ := 1 — p*i/pix- 

The probability that Bob can bias Alice to is now (1 — £o)Po* = Po*> 
and the probability that Alice can bias Bob to 1 is now (1 — £i)p'»i = p*i. 
Furthermore, the probability that two honest players output both is (1 — 
£o)pqo = (1 — £o)Po*P*o = Po*P*o and the probability that they both output 1 is 

(1 - £l)p' u = (1 - £l)pi*p*! = Pl*p*l. □ 

Lemma 10. Let Poo,Pn,Po*,Pi*,P*o,P*i € [0,1] with 

Poo < Po*P*o , 
Pn < Pi*P*i , and 
Poo +P11 < 1 ■ 

Then, for any constant s > 0, there exists a quantum protocol that implements 
CF(poo,Pn,Po* + £,Pi* + £,P*o + £,P*i + £)• 

Proof. Let us first assume that p*o + p*i > 1 and po* + Pi* > 1- We reduce 
the value of po* to poo/p*o and the value of pi* to pn/p*i, which ensures that 
Po*P*o + Pi*P*i < 1- Now we can apply Lemma [HI together with Theorem [31 
Proposition [1] and Lemmas [51 [7] and [3J 

If the assumption does not hold then either p»o + p*i < 1 or po* +Pi* < 1- 
In this case, we can apply Lemmas [1] and [3J □ 



4.2 Impossibilities 



In order to see that the bound obtained in Section 14.11 is tight, we can use the 
proof of Kitaev (printed in [3]) showing that an adversary can always bias 
the outcome of a strong quantum coin-flipping protocol. In fact, Equations (36) 
- (38) in [3] imply that for any quantum coin-flipping protocol, it must hold that 
Pn < Pi*P*i- In the same way, it can be proven that poo < Po*P*o- We obtain 
the following lemma. 

Lemma 11. A CF(poo;Pii)Po*;Pi*;P*0;P*i) can only be implemented by a quan- 
tum protocol if 

Poo < Po*P*o , 
Pn < Pi*P*i , and 
Poo +Pi\ < 1 ■ 

Lemma ITD1 and ITT1 imply together Theorem [5] 
5 Conclusions 

We have shown tight bounds for a general definition of coin flipping, which 
give trade-offs between weak vs. strong coin flipping, between bias vs. abort 
probability, and between classical vs. quantum protocols. 

Our result extends the work of [5], and shows that the whole advantage 
of the quantum setting lies in the ability to do weak coin flips (as shown by 
Mochon [H]). If weak coin flips are available in the classical setting, classical 
protocols can achieve the same bounds as quantum protocols. 

For future work, it would be interesting to see if similar bounds hold for 
the definition of coin flipping without the possibility for the malicious player to 
abort. 
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